Implementing passwordless in device-restricted environments
By Rohan Pinto, CTO for 1Kosmos
The increasing reliance on mobile devices for secure, passwordless authentication in the workplace presents a significant and evolving challenge, especially in environments where the use of mobile technology is heavily restricted, up to and including Sensitive Compartmented Information Facilities (SCIFs). High-security, privacy-sensitive call centers, manufacturing floors and sterile clean rooms are typical examples: places where traditional authentication methods, reliant on passwords or mobile devices, fall short.
This is not just a minor inconvenience; it’s a significant barrier to maintaining both security and operational efficiency. In these unique workspaces, password- and device-based authentication not only jeopardizes security but also hampers workflow, creating a critical need for a revolutionary approach.
Understanding the problem
Mobile devices are typically prohibited in call centers, manufacturing environments, shared kiosks and clean rooms due to a confluence of security, safety, and quality control reasons.
In call centers, mobile devices pose a risk of data breaches or unauthorized recording of sensitive information, thereby compromising customer privacy and organizational confidentiality.
In manufacturing settings, they can be a source of distraction, potentially leading to accidents or errors in high-precision work; their electromagnetic interference can also disrupt sensitive machinery.
In clean rooms, used in semiconductor manufacturing or biotech research, mobile devices can introduce contaminants or particulate matter, undermining the stringent sterility and cleanliness standards required.
Shared kiosks, common in banking and retail settings, are exposed to financial fraud.
Additionally, in all these environments, the use of personal devices can facilitate intellectual property theft or corporate espionage. Therefore, the exclusion of mobile devices is a critical measure to ensure security, safety, and the integrity of products and processes.
Authentication obstacles
Implementing identity-based passwordless authentication in workstation-independent environments poses several unique challenges. First and foremost is interoperability: authentication must operate seamlessly across a diverse array of systems and workstations, which includes avoiding repeated registration steps that create user friction and inconvenience.
Another critical challenge is implementing authentication that resists phishing and credential theft, and so protects against advanced threats, without the benefit of a mobile device as the biometric authenticator.
Cost and scalability also represent significant hurdles. Providing individual hardware tokens to each user is expensive in large-scale deployments and introduces productivity risks associated with forgotten, lost, damaged or shared security keys.
Lastly, the need for user convenience and accessibility cannot be overstated. Passwordless authentication must be not only secure and robust but also user-friendly and accessible to all employees, irrespective of their technical expertise. This requirement ensures that the system is inclusive and practical for the entire workforce, a crucial factor in its successful implementation and adoption.
FIDO-compliant keys
A promising approach to solving this problem involves the use of FIDO-compliant keys. FIDO (Fast IDentity Online) keys offer a secure and user-friendly way to authenticate without passwords. They can allow employees to move freely between workstations, logging in quickly and securely without passwords or personal devices.
A biometric FIDO security key permanently attached to a workstation can grant any enrolled user access to that protected workstation, using their biometric for user verification. This approach not only enhances security but also significantly improves user convenience.
Moreover, because FIDO is built on public key cryptography, the relying party stores only a public key for each registered credential. Even if that credential store were compromised, an attacker would still lack the corresponding private key, which never leaves the authenticator, so the stolen records could not be used to log in. This adds an extra layer of security, safeguarding against common threats such as credential database theft and phishing.
Finally, this model reduces costs and logistical challenges associated with managing individual tokens or devices for each employee. Instead, a single key per workstation or a shared biometric system could suffice, simplifying the IT infrastructure.
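The following Go program, added here as an illustration and not code from 1Kosmos or the FIDO Alliance, models the register-once-use-anywhere flow described above in a simplified form of the WebAuthn signing layout: a user enrolls once, the relying party (RP) keeps only a public key and a signature counter, and any workstation can then issue a fresh challenge that the biometric key signs. The verification steps show why a stolen credential store, a replayed assertion, or an assertion produced for a look-alike site is rejected. The RP ID `corp.example`, the workstation names, and the boolean standing in for a biometric match are constructed assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Credential is all the relying party keeps after a one-time registration:
// the public key and the last signature counter it accepted. No secret here.
type Credential struct {
	UserID    string
	PublicKey *ecdsa.PublicKey
	Counter   uint32
}

// Authenticator models a biometric FIDO key: the private key is generated
// inside it and never exported. The biometric check is modelled as a gate.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Challenge is minted by the RP for one login attempt at one workstation.
type Challenge struct {
	RPID  string
	Nonce [32]byte
}

// Assertion is what the authenticator hands back for a challenge.
type Assertion struct {
	RPIDHash       [32]byte // hash of the RP ID the workstation client presented
	Counter        uint32   // monotonically increasing signature counter
	ClientDataHash [32]byte // hash over (RP ID, nonce)
	Signature      []byte   // ASN.1 ECDSA-P256 over signedMessage(...)
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// Register runs once per user; only the public half leaves the key.
func (a *Authenticator) Register(userID string) Credential {
	return Credential{UserID: userID, PublicKey: &a.priv.PublicKey}
}

// NewChallenge is called by whichever workstation the user walks up to.
func NewChallenge(rpID string) (Challenge, error) {
	c := Challenge{RPID: rpID}
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		return Challenge{}, err
	}
	return c, nil
}

func clientDataHash(rpID string, nonce [32]byte) [32]byte {
	return sha256.Sum256(append([]byte(rpID), nonce[:]...))
}

// signedMessage mirrors the WebAuthn layout: authenticator data (RP ID hash,
// counter) followed by the client data hash.
func signedMessage(rpIDHash [32]byte, counter uint32, cdh [32]byte) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	return append(append(rpIDHash[:], ctr[:]...), cdh[:]...)
}

// Assert signs over the RP ID the workstation client actually presented (not
// the one the RP expects) and refuses without a biometric match.
func (a *Authenticator) Assert(presentedRPID string, nonce [32]byte, biometricMatch bool) (Assertion, error) {
	if !biometricMatch {
		return Assertion{}, errors.New("biometric verification failed")
	}
	a.counter++
	as := Assertion{
		RPIDHash:       sha256.Sum256([]byte(presentedRPID)),
		Counter:        a.counter,
		ClientDataHash: clientDataHash(presentedRPID, nonce),
	}
	digest := sha256.Sum256(signedMessage(as.RPIDHash, as.Counter, as.ClientDataHash))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	as.Signature = sig
	return as, nil
}

// Verify is the RP-side check; each step closes one attack class.
func Verify(cred *Credential, c Challenge, as Assertion) error {
	if as.RPIDHash != sha256.Sum256([]byte(c.RPID)) {
		return errors.New("RP ID mismatch: assertion was made for another site") // phishing
	}
	if as.ClientDataHash != clientDataHash(c.RPID, c.Nonce) {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if as.Counter <= cred.Counter {
		return errors.New("counter did not increase: replay or cloned key")
	}
	digest := sha256.Sum256(signedMessage(as.RPIDHash, as.Counter, as.ClientDataHash))
	if !ecdsa.VerifyASN1(cred.PublicKey, digest[:], as.Signature) {
		return errors.New("bad signature: private key absent") // stolen public keys are useless
	}
	cred.Counter = as.Counter
	return nil
}

func main() {
	key, _ := NewAuthenticator()
	cred := key.Register("alice") // one registration, many workstations
	for _, ws := range []string{"floor-ws-01", "floor-ws-02"} {
		c, _ := NewChallenge("corp.example")
		as, _ := key.Assert("corp.example", c.Nonce, true)
		fmt.Println(ws, "login error:", Verify(&cred, c, as))
	}
	c, _ := NewChallenge("corp.example")
	as, _ := key.Assert("corp-login.example", c.Nonce, true) // look-alike origin
	fmt.Println("relayed assertion error:", Verify(&cred, c, as))
}
```

In production the RP ID hash is computed by the authenticator from an RP ID the browser has already checked against the page origin, and the assertion and client data are encoded per the WebAuthn specification; this model keeps only the pieces needed to show which check defeats which attack. The counter check is the one place where "a single key per workstation" needs care: if several enrolled users share one physical key, each credential still has its own counter, but a shared key that is cloned will eventually produce a counter regression that the RP should treat as an incident.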
Best practice recommendations
When planning passwordless authentication for workstation-independent environments, here are some guidelines to consider:
- Biometrics: Use biometrics such as fingerprints or facial recognition for secure authentication.
- Device-less authentication: Implement methods like FIDO keys, combined with biometrics or workstation-based prompts.
- Single registration system: Deploy a register-once-use-anywhere architecture that allows users to authenticate across multiple workstations.
- Integration with existing infrastructure: Use a standards-based approach like FIDO that works with existing IT systems.
- Robust encryption: Make sure advanced encryption techniques and security protocols are in place to protect data and credentials.
- User-centric design: Ensure the system design is intuitive and minimizes workflow disruption.
- Compliance: Create and enforce policies that adhere to the security and privacy standards governing your industry.
Transitioning to passwordless authentication in environments where mobile devices are prohibited presents unique challenges but also offers an opportunity to modernize digital security. By embracing biometrics, robust encryption, FIDO-compliant keys, and user-centric design, organizations can create a more secure, efficient, and low-friction work environment.
About the author
Rohan Pinto is CTO of 1Kosmos. He previously architected security infrastructure for the Government of Ontario and the Health Information Access Layer for the Province of British Columbia, and is involved in establishing the United States Department of Defense’s Security Access Layer using Common Access Cards (CAC). Pinto is also an active member of the Decentralized Identity Foundation and the FIDO (Fast Identity Online) Alliance.